You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
mTLS (client certificate authentication) is included in the Enterprise distribution of Spice.ai. [Learn more](https://docs.spice.ai/docs/enterprise).
126
+
:::
127
+
128
+
mTLS extends standard TLS by requiring the client to also present a certificate during the TLS handshake. This provides cryptographic authentication of both the server and the client.
129
+
130
+
### Enable mTLS via spicepod.yaml
131
+
132
+
Set `client_auth_mode` to `request` or `required` and provide a CA bundle to verify client certificates:
133
+
134
+
```yaml
135
+
runtime:
136
+
tls:
137
+
enabled: true
138
+
certificate_file: /path/to/server.crt
139
+
key_file: /path/to/server.key
140
+
client_auth_mode: required
141
+
client_auth_ca_file: /path/to/client-ca.pem
142
+
```
143
+
144
+
### Enable mTLS via command line
145
+
146
+
```bash
147
+
spiced --tls-enabled true \
148
+
--tls-certificate-file /path/to/server.crt \
149
+
--tls-key-file /path/to/server.key \
150
+
--tls-client-auth-mode required \
151
+
--tls-client-auth-ca-file /path/to/client-ca.pem
152
+
```
153
+
154
+
### Client auth modes
155
+
156
+
| Mode | Behavior |
157
+
|------|----------|
158
+
| `none` *(default)* | Standard one-way TLS. No client certificate is requested. |
159
+
| `request` | The server requests a client certificate but accepts connections without one. Presented certificates are verified against the CA. Useful for migration or audit-only deployments. |
160
+
| `required` | A valid client certificate is required. The Flight listener rejects no-cert connections at the TLS handshake. The HTTP listener admits no-cert connections so `/health` and `/v1/ready` remain accessible for Kubernetes probes, but all other HTTP endpoints return 401 without a verified client certificate. |
Kubernetes liveness/readiness probes (`/health`, `/v1/ready`) and the metrics endpoint (`/metrics`) are always accessible without a client certificate, even under `client_auth_mode: required`.
182
+
183
+
### Client CA hot-reload
184
+
185
+
When `client_auth_ca_file` is used, the CA bundle is watched for changes and reloaded atomically alongside the server certificate and key. When `client_auth_ca` (inline) is used, the CA is loaded once at startup.
186
+
187
+
For a complete walkthrough, see the [mTLS Cookbook recipe](https://github.com/spiceai/cookbook/tree/trunk/mtls).
If none of these are set the connector will default to using a [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
Copy file name to clipboardExpand all lines: website/docs/components/data-connectors/elasticsearch/index.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -138,7 +138,7 @@ TLS is enabled automatically for `https://` endpoints.
138
138
- Nested object fields are exposed as JSON strings rather than structured columns.
139
139
- `date`and `date_nanos` fields are preserved as strings because Elasticsearch accepts heterogeneous date formats; cast to a timestamp in SQL when numeric comparison is required.
140
140
- `dense_vector`fields without a declared `dims` value fall back to `Utf8` and are not usable as a vector column.
141
-
- The connector issues a single `_search` request per query. The result set is capped at 10,000 hits (the Elasticsearch `index.max_result_window` default). Queries with `LIMIT N` fetch `min(N, 10000)` rows; queries without `LIMIT` return at most 10,000 rows. For larger result sets, accelerate the dataset.
141
+
- For queries with `LIMIT N` where N ≤ 10,000, the connector issues a single `_search` request. For larger result sets or queries without `LIMIT`, the connector automatically paginates using Point-In-Time (PIT) + `search_after`, fetching all matching documents in 10,000-hit batches.
142
142
- Pushdown of SQL predicates to Elasticsearch query DSL is limited; complex filter expressions are evaluated locally by DataFusion after fetching results.
143
143
144
144
Elasticsearch can also be configured as a [Vector Engine](../vectors/elasticsearch) for datasets sourced from other connectors (storing Spice-managed embeddings in Elasticsearch rather than querying an existing index).
Copy file name to clipboardExpand all lines: website/docs/components/data-connectors/flightsql.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -40,6 +40,10 @@ The dataset name. This will be used as the table name within Spice. The dataset
40
40
| `flightsql_username` | Optional. The username to use in the underlying Apache flight Handshake Request to authenticate to the server (see [reference](https://arrow.apache.org/docs/format/Flight.html#authentication)). |
41
41
| `flightsql_password` | Optional. The password to use in the underlying Apache flight Handshake Request to authenticate to the server. Use the [secret replacement syntax](../secret-stores/) to load the password from a secret store, e.g. `${secrets:my_flightsql_pass}`. |
42
42
| `flightsql_tls_ca_certificate_file` | Optional. Path to a CA certificate file (PEM format) to use for TLS verification instead of system certificates. |
43
+
| `flightsql_tls_client_certificate_file` | Optional. Path to a PEM client certificate chain for mutual TLS (mTLS). Must be set together with `flightsql_tls_client_key_file`. Mutually exclusive with `flightsql_tls_client_certificate`. |
44
+
| `flightsql_tls_client_key_file` | Optional. Path to the PEM private key matching `flightsql_tls_client_certificate_file`. Must be set together with `flightsql_tls_client_certificate_file`. Mutually exclusive with `flightsql_tls_client_key`. |
45
+
| `flightsql_tls_client_certificate` | Optional. Inline PEM client certificate chain for mutual TLS (mTLS). Use the [secret replacement syntax](../secret-stores/) to load from a secret store, e.g. `${secrets:my_cert}`. Must be set together with `flightsql_tls_client_key`. Mutually exclusive with `flightsql_tls_client_certificate_file`. |
46
+
| `flightsql_tls_client_key` | Optional. Inline PEM private key for mutual TLS (mTLS). Use the [secret replacement syntax](../secret-stores/) to load from a secret store, e.g. `${secrets:my_key}`. Must be set together with `flightsql_tls_client_certificate`. Mutually exclusive with `flightsql_tls_client_key_file`. |
| `scylladb_host` | Hostname(s) of ScyllaDB nodes. Comma-separated for multiple nodes. | Yes | - |
71
-
| `scylladb_hosts` | Alternative to `scylladb_host`. Comma-separated list of hostnames. | No | - |
70
+
| `scylladb_host` | Hostname(s) of ScyllaDB nodes. Comma-separated for multiple nodes. Either `scylladb_host` or `scylladb_hosts` must be provided. | Yes* | - |
71
+
| `scylladb_hosts` | Alternative to `scylladb_host`. Comma-separated list of hostnames. Either `scylladb_host` or `scylladb_hosts` must be provided. | Yes* | - |
72
72
| `scylladb_port` | ScyllaDB CQL native transport port. | No | `9042` |
73
73
| `scylladb_keyspace` | The keyspace to use for queries. | Yes | - |
74
74
| `scylladb_user` | Username for authentication. | No | - |
75
75
| `scylladb_pass` | Password for authentication. | No | - |
76
76
| `scylladb_datacenter` | Preferred datacenter for connection routing. | No | - |
77
-
| `scylladb_ssl` | Enable SSL/TLS for connections. Not yet implemented — the parameter is accepted but has no effect. | No | `false` |
77
+
| `scylladb_ssl` | Enable SSL/TLS for connections. Not yet implemented — the parameter is accepted but has no effect. | No | - |
78
78
| `connection_timeout` | Connection timeout in milliseconds. | No | `10000` |
0 commit comments